search

thevahidal / soul

🕉 A SQLite REST and realtime server
https://thevahidal.github.io/soul/
MIT License
1.45k stars 49 forks source link

Protect "transactions" endpoint #172

Closed thevahidal closed 1 month ago

thevahidal commented 3 months ago

Is your feature request related to a problem? Please describe. Right now that we introduced authentication and authorization we need to protect transactions endpoint as well, as it has all the privileges on database.

Describe the solution you'd like Transactions endpoint should be used only by superusers.

Describe alternatives you've considered We can get rid of this endpoint since there's no obvious usage for it.

Additional context N/A

IanMayo commented 3 months ago

I'd quite like something more subtle than superusers. What if we also add a flag in Role or User that indicates that the role can submit transactions?

There could be sense in your alternative. We could Archive the end-point until someone has a requirement for it. Then we re-implement it, including protection.

thevahidal commented 3 months ago

Yeah, I agree to archive / delete it for now.

IanMayo commented 3 months ago

Hmm, I've just thought of a half-way house. How about it is only enabled if auth is off? If it is called with auth on, we could return an error indicating that The transactions end-point is not currently compatible with Soul authentication.

thevahidal commented 3 months ago

That's actually a good idea, though from the beginning of Soul I was really concerned about this endpoint as the power it has is too much.